Separated epp login and epp request abilities #2742

2025-05-18 02:09:39 +02:00 · 2015-08-19 01:21:16 +03:00 · 2015-08-19 01:21:16 +03:00 · 34f1d7d254
commit 34f1d7d254
parent 598ab7ba63
5 changed files with 83 additions and 61 deletions
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -56,6 +56,15 @@ class Epp::SessionsController < EppController
      success = false
    end

+    if success && @api_user.cannot?(:create, :epp_login)
+      epp_errors << {
+        msg: 'Authentication error; server closing connection (API user does not have epp role)',
+        code: '2501'
+      }
+
+      success = false
+    end
+
    if success && !ip_white?
      epp_errors << {
        msg: 'Authentication error; server closing connection (IP is not whitelisted)',
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -71,7 +71,7 @@ class Registrar::SessionsController < Devise::SessionsController
        redirect_to :back and return
      end

-      if @api_user.can_make_api_calls?
+      if @api_user.can(:create, :epp_login)
        unless @api_user.registrar.api_ip_white?(request.ip)
          flash[:alert] = I18n.t(:ip_is_not_whitelisted)
          redirect_to :back and return
--- a/app/controllers/registrar_controller.rb
+++ b/app/controllers/registrar_controller.rb
@ -21,7 +21,7 @@ class RegistrarController < ApplicationController
    riw = current_user.registrar.registrar_ip_white?(request.ip)

    aiw = true
-    if current_user.can_make_api_calls?
+    if current_user.can?(:create, :epp_request)
      aiw = current_user.registrar.api_ip_white?(request.ip)
    end

--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -24,7 +24,77 @@ class Ability
    can :create, :registrant_domain_update_confirm
  end

+  #
+  # User roles
+  #
+
+  def super # Registrar/api_user dynamic role
+    static_registrar
+    static_epp
+    billing
+  end
+
+  def epp # Registrar/api_user dynamic role
+    static_registrar
+    static_epp
+  end
+
+  def billing # Registrar/api_user dynamic role
+    can :view, :registrar_dashboard
+    can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
+    can :manage, :deposit
+    can :read, AccountActivity
+    static_epp_login # billing can establis epp connection in order to login
+  end
+
+  def customer_service # Admin/admin_user dynamic role
+    user
+    can :manage, Domain
+    can :manage, Contact
+    can :manage, Registrar
+  end
+
+  def admin # Admin/admin_user dynamic role
+    customer_service
+    can :manage, Setting
+    can :manage, BlockedDomain
+    can :manage, ReservedDomain
+    can :manage, ZonefileSetting
+    can :manage, DomainVersion
+    can :manage, Pricelist
+    can :manage, User
+    can :manage, ApiUser
+    can :manage, AdminUser
+    can :manage, Certificate
+    can :manage, Keyrelay
+    can :manage, LegalDocument
+    can :manage, BankStatement
+    can :manage, BankTransaction
+    can :manage, Invoice
+    can :manage, WhiteIp
+    can :read, ApiLog::EppLog
+    can :read, ApiLog::ReppLog
+    can :update, :pending
+    can :destroy, :pending
+    can :create, :zonefile
+    can :access, :settings_menu
+  end
+
+  #
+  # Static roles, linked from dynamic roles
+  #
+  def static_epp_login
+    can(:create, :epp_login)
+  end
+
  def static_epp
+    # REPP
+    can(:manage, :repp)
+
+    # EPP
+    static_epp_login
+    can(:create, :epp_requests)
+
    # Epp::Domain
    can(:info,     Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
    can(:check,    Epp::Domain)
@ -45,8 +115,6 @@ class Ability
    can(:renew,  Epp::Contact)
    can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }

-    # REPP
-    can(:manage, :repp)
  end

  def static_registrar
@ -73,62 +141,11 @@ class Ability
    can :show, :dashboard
  end

-  # Registrar/api_user dynamic role
-  def super
-    static_registrar
-    billing
-    epp
-  end

-  # Registrar/api_user dynamic role
-  def epp
-    static_registrar
-    static_epp
-  end

-  # Registrar/api_user dynamic role
-  def billing
-    can :view, :registrar_dashboard
-    can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
-    can :manage, :deposit
-    can :read, AccountActivity
-  end
-
-  # Admin/admin_user dynamic role
-  def customer_service
-    user
-    can :manage, Domain
-    can :manage, Contact
-    can :manage, Registrar
-  end
-
-  # Admin/admin_user dynamic role
-  def admin
-    customer_service
-    can :manage, Setting
-    can :manage, BlockedDomain
-    can :manage, ReservedDomain
-    can :manage, ZonefileSetting
-    can :manage, DomainVersion
-    can :manage, Pricelist
-    can :manage, User
-    can :manage, ApiUser
-    can :manage, AdminUser
-    can :manage, Certificate
-    can :manage, Keyrelay
-    can :manage, LegalDocument
-    can :manage, BankStatement
-    can :manage, BankTransaction
-    can :manage, Invoice
-    can :manage, WhiteIp
-    can :read, ApiLog::EppLog
-    can :read, ApiLog::ReppLog
-    can :update, :pending
-    can :destroy, :pending
-    can :create, :zonefile
-    can :access, :settings_menu
-  end
  # rubocop: enable Metrics/LineLength
  # rubocop: enable Metrics/CyclomaticComplexity
  # rubocop: enable Metrics/PerceivedComplexity
+
+
 end
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@ -58,10 +58,6 @@ class ApiUser < User
    @registrar_typeahead || registrar || nil
  end

-  def can_make_api_calls?
-    ([SUPER, EPP] & roles).any?
-  end
-
  def to_s
    username
  end